Does anyone have Symantec DLP configured as a data source? If so, is it parsing correctly by default, or did you have to write a custom parser for it to parse correctly? I have it configure as a data source, but all events are showing "umknown" even though the data appears to be getting parsed. Support is telling me I need to either submit a PER or write a custom parser to correct this.

No info here yet, I'm about to add ours in as a data source next week. I will follow up with you after. Until then, is there any documentation about getting it setup in the SIEM, I'm not familiar with the DLP application itself at all.